Picture the scene: you’re at work and you get a notification about a vulnerability that you apparently have to deal with urgently. Do you act on it now, delegate to an analyst, or leave it for later?
If it is the latter, it is a question of how severe the vulnerability is. You check who it came from and what the issue concerns. It is at that point you realise it is just the result of someone scanning your network, informing you of what they found, and asking to be paid a bug bounty for it.
Welcome to what has been dubbed “the beg bounty”. Far from being a scam, these emails are often targeted at businesses where the researcher has done a simple scan for basic misconfigurations or vulnerabilities, followed by a cut and paste of the results into a pre-defined email template.
Sophos principal research scientist Chester Wisniewski highlights this in a recent blog, calling them “ethical disclosures that share all the needed information and hint that it might be nice if you were to send them a reward”. However, there are cases where it can verge on “borderline extortion, demanding payment without even providing enough information to determine the validity of the demand”.
Wisniewski says this type of approach can typically request a payment from $150 up to $2,000 per bug, depending on severity. However, his research determined that none of the vulnerabilities he investigated were worthy of a payment.
“If you receive one of these emails, it is worth taking seriously as you likely have a very poor security posture, but you should not engage with the person soliciting your business,” he says. “Contact a local trustworthy firm to assess your security weaknesses, one that can work with you to prioritise and improve your security situation.”
The CISO experience
Quentyn Taylor, director of information security for Canon Europe, has faced a number of reports and requests for payment for disclosure.
He claims that there are three classes of people who report vulnerabilities. The first type finds something and reports it. The second is the professional researcher who has found a vulnerability, reads the disclosure programme, and agrees with you to disclose publicly under the terms of your vulnerability disclosure programme.
“This [second type] is very useful and people do it as a sideline to make money, and there are great examples of it and it is a very good service,” Taylor says.
However, the third class is those who seek beg bounties, and have typically found “a low-end bug that they scan for on scale”. Typical examples are DMARC and SPF misconfigurations. “They scan for it, say they have found a serious vulnerability and would like some money for it,” says Taylor.
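The DMARC and SPF misconfigurations Taylor describes are exactly the kind of finding a defender can verify in minutes without engaging the sender. The following is an added example written for this page, not code from Sophos, Canon, HackerOne or the article: it takes the TXT records a report would point at (constructed sample records for hypothetical `.example` zones, embedded inline so it runs offline) and returns the finding codes a triager would care about, with an editor's own heuristic split between records that are genuinely broken and items that are merely hygiene.

```python
import re

# Constructed sample TXT records for three hypothetical zones. None of these
# domains or records come from the article; they only exercise the checks.
SAMPLE_ZONES = {
    "weak.example": {
        "@": ["v=spf1 include:_spf.mailhost.example a mx ?all"],
        "_dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    },
    "strong.example": {
        "@": ["v=spf1 include:_spf.mailhost.example -all"],
        "_dmarc": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                   "rua=mailto:dmarc@strong.example"],
    },
    "broken.example": {
        "@": ["v=spf1 a -all", "v=spf1 mx -all"],  # two SPF records: PermError
        "_dmarc": [],
    },
}

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10).
LOOKUP_TERM = re.compile(
    r"^[+\-~?]?(include:|a(?::|$)|mx(?::|$)|ptr|exists:)|^redirect=", re.I)
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def assess_spf(txts):
    """Return finding codes for the SPF records found among the apex TXT records."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF_MISSING"]
    if len(spf) > 1:
        # A domain must publish exactly one SPF record; two is a PermError.
        return ["SPF_MULTIPLE_RECORDS"]
    findings = []
    terms = spf[0].split()[1:]
    # Only the first 'all' matters: mechanisms after it are never evaluated.
    all_terms = [m for m in (ALL_TERM.match(t) for t in terms) if m]
    if not all_terms:
        findings.append("SPF_NO_ALL")
    else:
        qualifier = all_terms[0].group(1) or "+"
        if qualifier == "+":
            findings.append("SPF_PLUS_ALL")      # authorises every sender on the internet
        elif qualifier == "?":
            findings.append("SPF_NEUTRAL_ALL")   # no assertion: effectively no SPF
        elif qualifier == "~":
            findings.append("SPF_SOFTFAIL_ALL")  # acceptable during rollout only
    if sum(1 for t in terms if LOOKUP_TERM.match(t)) > 10:
        findings.append("SPF_TOO_MANY_LOOKUPS")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txts):
    """Return finding codes for the _dmarc TXT records."""
    dmarc = [t for t in txts if t.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC_MISSING"]
    if len(dmarc) > 1:
        return ["DMARC_MULTIPLE_RECORDS"]
    tags = parse_dmarc(dmarc[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC_INVALID_POLICY")
    elif policy == "none":
        findings.append("DMARC_POLICY_NONE")     # monitor-only, nothing enforced
    if "rua" not in tags:
        findings.append("DMARC_NO_REPORTING")    # no aggregate reports requested
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append("DMARC_PARTIAL_PCT")
    return findings


# Hypothetical triage split (the editor's own heuristic, not a standard):
# records that are absent, duplicated or wide open versus hygiene items.
ACTIONABLE = {"SPF_MISSING", "SPF_MULTIPLE_RECORDS", "SPF_PLUS_ALL",
              "DMARC_MISSING", "DMARC_INVALID_POLICY"}


def triage(zone):
    """Combine SPF and DMARC findings and flag whether any of them is actionable."""
    findings = assess_spf(zone.get("@", [])) + assess_dmarc(zone.get("_dmarc", []))
    return {"findings": findings,
            "actionable": any(f in ACTIONABLE for f in findings)}


if __name__ == "__main__":
    for name, zone in SAMPLE_ZONES.items():
        result = triage(zone)
        print(f"{name}: {result['findings']} actionable={result['actionable']}")
```

Running it against the constructed zones shows the distinction the article draws: `weak.example` produces only hygiene findings (`?all`, `p=none`) of the kind Taylor says are "not serious issues", while `broken.example` (two SPF records and no DMARC) is the rare report that merits a ticket. In practice the input lists would come from a TXT lookup of the apex and `_dmarc` names rather than the inline samples.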
He would often then respond asking if the researcher has read the terms of the vulnerability disclosure programme, pointing out that what the person found was not in scope or in their region.
“We have not had a bad one, we’ve had a lot of good contact on SPF and DKIM and they have not been serious issues, usually just saying thanks and it is all done,” he says. “However, some others say they found it, then ask, ‘When are you going to patch it and when are you going to pay me?’”
Taylor suspects most researchers of this type are spending time in online forums, generating emails and submitting the notifications “in the hope of getting paid”. He says they typically run a scanner through your infrastructure, adding: “I remember when it was impolite to do that, and now they consider it as doing you a favour.”
Is the concern here that these are just a nuisance, and a drain on time and resources? Taylor agrees this is the case, saying that for every five or six reports you get, you can get one that is really good and that you need to look into.
“It is a noise you can do without,” he says. “People hammer you with a message that sounds menacing, but when you look at the issue it is minor. The more serious the vulnerability, the more serious the researcher.”
From the researcher’s perspective
Taylor claims the number of people who have not read the vulnerability disclosure programme is “dizzying” and it is “only the professionals who read it”. From the perspective of the bug bounty broker, how are researchers being educated on this type of disclosure?
Laurie Mercer, security engineer at HackerOne, says his company has clear guidelines on what is rewarded and what is not, and there is “clear scope on [which] vulnerabilities are accepted and what is paid for”.
With regards to submitting a beg bounty, Mercer says there are two main problems: the first is trust and knowing who is submitting the vulnerability itself, and the second is related to skills, as he sees a problem with using automated scanners to find vulnerabilities, since claiming a bug bounty should demonstrate some level of technical skill.
However, Mercer is keen to make the point that “hackers don’t create problems, they surface problems that are already there”. HackerOne’s 2020 Hacker report found that nearly two-thirds of hackers say they’ve found bugs and chosen not to report them to the organisation, with 38% of hackers saying this was due to “threatening legal language” posted on the organisation’s website regarding the discovery of potential vulnerabilities. Also, 15% said that the company was unresponsive to previous bug reports.
Mercer says the reason companies run vulnerability disclosure programmes “is to find the vulnerabilities that the business cannot find themselves”. Therefore, companies draw up the vulnerability disclosure programme to determine which bug categories they pay for, and if the researcher delivers something that is identified as not being part of a bug bounty programme, the company will not consider paying a fee for it.
“Any serious issue will come through a professional channel like HackerOne,” Mercer says.
Dealing with the issue
How can CISOs and businesses deal with this issue? Canon’s Taylor says education is needed to better understand that unwarranted disclosures do not always get a pay-out. “This is not against professional bug bounty hunters, as some bug bounty hunters are very good and work out how it works, but people at the lower end want to make a quick buck,” he says.
Mercer says that, having worked with companies, regulators and governments, there is a process for how to disclose bug notifications, and a CISO’s complaint is typically that reports have been submitted against their stated preference. “If you implement a vulnerability disclosure programme, it will tell the researcher if it is accepted and if you pay bug bounties,” he adds.
It seems the solution lies in the formula of that programme and public policy: if you inform those budding bug hunters of what is in scope and paid for, then the problem of opportunistic beg bounty hunters is reduced.